The New York Department of Financial Services has modified its cybersecurity requirements for regulated entities. These requirements are in addition to those included in the regulations as last updated in November of last year. The new requirements go into effect November 1, 2024. They modify several parts of the rule, including:
- CISOs reporting requirements: Under the current regulations, CISO must report on cybersecurity to the company's leadership. The revised regulations now require the report to include information about remediation plans. Separate from the annual report, the CISO will also need to report any material cybersecurity issues (like a breach) to senior officers.
- New responsibilities for the senior governing body: As revised, the regulations emphasize that the regulated entities' senior governing body is responsible for overseeing cybersecurity risk management. This includes understanding cybersecurity-related concepts. Senior leadership's obligations also include reviewing management reports about cybersecurity matters. And confirming that the company has devoted enough resources to implement an effective cybersecurity program.
- Encrypt all nonpublic information: The new amendments removed an exception for encrypting data that is in transit. Now, companies need to encrypt all nonpublic information being moved to external systems.
- Update the incident response plan: As amended, the regulations call for different content in regulated entities' incident response plan. This includes processes for responding to a cybersecurity event and how to recover from systems backups. IRPs will also need to have provisions for conducting root cause analyses of incidents.
- Business continuity and disaster recovery plan: As amended, the regulations clarify the requirements for disaster recovery plans. Among other things, the plans need to be in writing and identify all things necessary to continue operations during a cyber-related event. Provisions also need to be in place to train employees who implement both IRPs and the recovery plans.
- New categories for exempted companies: As revised, businesses with fewer than twenty employees or less than $7,500,000 in annual revenue over the past three years are afforded certain exemptions. This increases the previous 10 employee and $5,000,000 exemption levels. Businesses with less than $15,000,000 (instead of $10,000,000) in year-end total assets are exempt as well.
Putting it into Practice: Modifying its cybersecurity regulations may become a November tradition for NYDFS. Companies covered by the regulation should keep in mind these new obligations, especially on reporting and internal plans, when reviewing their cybersecurity programs.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
